Another year, another Netflix email scam: Phishing email impersonating Netflix leads to fake PayPal-branded phishing page

Posted by Akankasha Dewan on 02 February 2021 14:24:16 AEDT

As another year begins, Netflix continues to be a favourite among cybercriminals looking to trick users. The popular entertainment company has once again been impersonated in a phishing email scam intercepted by MailGuard.

These malicious emails are infiltrating inboxes using a display name of ‘Netflix Membership’ and are titled ‘We recently detected an issue with the billing information associated with your Account’. However, the sender email address provided in the “From:” field doesn’t use a domain belonging to Netflix – a huge red flag pointing to the email’s illegitimacy. The emails are actually sent from a compromised account based overseas.

The email body addresses the recipient directly and includes Netflix’s branding and logo. It informs recipients that 'payment for the next billing cycle' of their subscription could not be authorised, and as such, their membership has been suspended. Recipients are advised to update their details via a button titled ‘Login To Get Started’, and the email ends with a footer advising recipients not to reply to the email directly.

Here’s what the email looks like:


Recipients who click on the button are led to an intermediary page that automatically redirects to a login page asking users for their email address and password. As you can see from the screenshot below, this page is designed to look like a legitimate page belonging to Netflix:

Netflix_login page-0221

Interestingly, the domain used in the page’s URL doesn’t belong to the company. This is actually a phishing page hosted on a compromised website. Once users “sign in” to their accounts, their credentials are harvested and they are led to the following page asking them to choose their method of payment, as per the below:

Netflix - confirm payment - 0221

Clicking on either option leads users to another page prompting them for their payment details. Depending on the option chosen by the users, this page asks them either for their credit card information or their PayPal credentials, as per the screenshots below:

Netflix - confirm credit card-0221


These are also phishing pages that are designed to harvest users' confidential banking information. After users input their details as required in the fields above, they are led to a Netflix-branded confirmation page informing them they have ‘restored access’ to their account. Here's what the page looks like:


Clicking ‘Home’ finally leads users to Netflix’s actual homepage.

Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to exercise caution when opening messages, and to be extra vigilant against this kind of cyber-attack. If you see an email from Netflix, please make sure it is a legitimate communication before you open it. Please share this alert with your social media network to help us make the people aware of the threat.

Netflix is a regular target for cybercriminals. With more than 203 million subscribers worldwide, there’s a high likelihood that many of those that are receiving the email are subscribers and that a portion of those will be too time poor to check the details in the email. Over the years, MailGuard has regularly intercepted Netflix-themed email scams, including in:

In this particular scam, cybercriminals have employed the following techniques to trick users:

  • The use of an alarming subject line and body; informing recipients that their account has been suspended creates a sense of urgency and anxiety, motivating users to take action immediately without checking on the email’s authenticity,

  • The mention of the recipient’s name and email address in the email body; this helps convince users that the email isn’t a generic notification but is actually addressed to them, further boosting its legitimacy, and

  • The inclusion of high-quality branding elements belonging to Netflix; As you can see from the screenshots above, cybercriminals have gone to great efforts to incorporate the exact colour scheme, logo, fonts and popular imagery commonly found on Netflix pages in a bid to convince users that the email is authentic, and that it actually originates from the entertainment company. The use of a display name like ’Netflix Membership’ is also an attempt to convince the recipient that the email is, in fact, coming from a credible source associated with Netflix.

Besides the above, the inclusion of PayPal’s logo and branding is also intentional. Being a widely used and trusted online payments service supporting a plethora of online stores, PayPal is a popular target for cybercriminals, especially as more users shop online due to the closure of many physical stores during the COVID-19 pandemic. Many of us rely on PayPal as a trusted means of making and receiving payments securely, so most of us wont think twice when asked to insert our PayPal details, as in this case. Cybercriminals behind this scam are leveraging on PayPal’s trusted reputation to further convince users that the email and its links are legitimate, motivating them to provide their confidential financial details. In addition, scams that are initiated from compromised accounts (like this one) are particularly dangerous, because the emails are sent from a legitimate account, so they are not likely to be blocked by email security services.

How to know if an email or text is actually from Netflix?

Netflix lists the following advice on its support page:

  • We will never ask you to enter your personal information in a text or email. This includes:
    • Credit or debit card numbers
    • Bank account details
    • Netflix passwords
  • We will never request payment through a 3rd party vendor or website.
  • If the text or email links to a URL that you don't recognize, don't tap or click it. If you did already, do not enter any information on the website that opened.

More information can be found here:


As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates



Topics: Phishing PayPal email scams Netflix scam; fraud fastbreak

Back to Blog


    Something Powerful

    Tell The Reader More

    The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


    • Bullets are great
    • For spelling out benefits and
    • Turning visitors into leads.

    Recent Posts

    Posts by Topic

    see all